This application claims the priority of German patent document 100 08 974.7, filed Feb. 25, 2000, the disclosure of which is expressly incorporated by reference herein.
The invention relates to a process for ensuring the data integrity of software that is imported into a control unit of a motor vehicle.
Recent increasing use of electronics and of communication links in vehicles has precipitated a growing demand for security. For example, microcontrollers, which are used for control purposes in many different areas of the vehicle, are often mutually connected by way of a bus system. In most cases, it is possible (for example, for diagnostic connection) to access this bus from outside the vehicle, and to communicate with the individual control units.
The method of operation of the control units is determined by software programs. Heretofore, the software used in a control unit (controller) has ordinarily been filed in a non-programmable memory (for example, in the case of masked microprocessors), so that the software cannot easily be manipulated. For example, the complete exchange of a memory chip for another memory chip can be detected and a corresponding reaction can take place.
However, the future use of programmable (particularly so-called flash-programmable) control units in the vehicle increases the risk of unauthorized manipulation of the software, and thus the method of operation of the control units. The software could easily be exchanged by unauthorized persons by reprogramming.
For security reasons and to meet legal requirements, measures must be taken either to prevent the changing of original software or to allow only authorized persons to make such changes.
In addition, it may be advantageous in the future to follow a uniform-parts concept, in which the same hardware is used in different models. The difference in the method of operation will then only be the software. This concept requires, of course, that certain software can be run only in an individual vehicle, and cannot easily be copied.
A large number of authentication processes and systems are known from the prior art. For example, U.S. Pat. No. 5,844,986 discloses a process for avoiding unauthorized intervention in a BIOS system of a PC. Based on a so-called public-key process with a public and a secret key, a cryptographic coprocessor, which contains a BIOS memory, authenticates and examines a BIOS change. The examination takes place by checking a digital signature embedded in the software that is to be imported.
European Patent Document EP 0 816 970 discloses a system for examining corporate software. This system for the authentication of a boot PROM memory comprises a memory part with a microcode. An authentication sector comprises a hash generator which generates hash data in response to the implementation of the microcode.
The above-mentioned processes or systems do not, however, permit a direct examination of software to be imported into a control unit of a motor vehicle.
It is therefore an object of the present invention to provide a process for ensuring the authenticity of software imported into a control unit of a motor vehicle.
This and other objects and advantages are achieved by the process according to the invention, in which a pair of keys is first generated for encrypting and decrypting electronic data. (In this context, a xe2x80x9ckeyxe2x80x9d generally is a coding and/or decoding parameter, conventional in known cryptographic algorithms). According to the present invention, the software is provided with an electronic signature by means of the first key. For verifying the authenticity of the software, a pertaining second key is filed in (or for) the control unit into which this software is to be imported. By means of this second key, the electronic signature of the software can be checked; if the check is positive, the software is accepted and can be used for controlling the control unit.
According to a first embodiment, a so-called symmetrical process can be used as the encryption, in which the two keys are identical. In fact, there is only one key which is used at different points. However, since the possibility always exists that a key filed in a control unit can be compromised, the security stage of a symmetrical process is not optimal. Such a process can therefore be used only where operations are involved which are not too critical with respect to security. To increase the security level, an additional activating protection can be used in the form of special hardware.
According to another preferred embodiment, an asymmetrical encryption process is selected which has a secret and a public key. In this case, the public key can be filed in, or for access by, the control unit. The software would then be marked by means of the secret key. As an alternative, the control unit or the vehicle itself can generate the asynchronous pair of keys and then file the secret key in the control unit. The public key would then have to be able to be read out, so that it can be used to mark the software. Naturally, in this last alternative, it would have to be ensured that the secret key cannot be read out.
Encryption algorithms with a secret and a public key are referred to as Public-Key processes in which the public key may be publicly known, whereas the secret key is known only at an authorized point, such as a trust center. Such cryptographic algorithms are, for example, Rivest, Shamir and Adleman (RSA Algorithm), Data Encryption Algorithm (DEA Algorithm) and similar algorithms. By means of the secret or public keyxe2x80x94analogously to a handwritten signaturexe2x80x94, a digital signature to an electronic document can be generated. Only the holder of the secret and/or public key can provide a valid signature. The authenticity of the document can then be checked by verification of the signature by means of the pertaining public and/or secret key. The secret key is sometimes also called a private key.
An unauthorized third party who does not know the correct key is unable to provide a valid signature. When manipulated and not correctly signed software is then loaded into a control unit, this is detected by the pertaining key, and the control unit is, for example, changed to an inoperable condition.
According to another embodiment of the invention, the key is filed in the boot sector of the control unit, which is usually protected in a special manner and cannot easily be overwritten. According to a further embodiment, the boot sector can be xe2x80x9cblockedxe2x80x9d after the inscription and the input of the key, so that further access, particularly a further inscription, is no longer possible. Thus, it would be ensured that the key filed in the boot sector is protected against manipulation.
In order to provide for the use of the software exclusively for an individual vehicle, the software provided for a control unit of a specific vehicle contains vehicle-individualizing information, such as the chassis number or other vehicle-individual data. This information is assigned to the software or integrated in it. Only after the assignment or integration of these data to or in the software, will this software then be signed by the key provided for this purpose. As described above, a control unit will accept the software only when the signature by means of the other assigned key is unobjectionably recognized.
Because the signature depends on the vehicle-individual information contained in the software, it cannot be subsequently changed. Software can only be fed so that it can be run by a control unit of a vehicle if the vehicle-individual information is not changed and actually corresponds to that of the vehicle. A copying of such vehicle-individualized software to another vehicle is therefore impossible because the vehicle-individual information cannot be changed without violating the signature.
In order to avoid an examination of the software every time a vehicle is started and the control units are run up, such an examination is performed preferably at least during importing of the software. When it is perfectly signed, it can be marked correspondingly, for example, by the setting of a flag, (which can otherwise not be influenced) in the control unit. Thereafter, the software will also be accepted during additional run-ups. In this manner, delays in the normal vehicle start can be avoided in. It should be ensured, however, that this flag cannot be influenced from the outside.
In order to provide another security level during the importation of software in the memories of the control unit, according to another embodiment of the invention, before the importing of the software, it should be possible to access the memory of the control unit only by means of a corresponding authorization. For this purpose, before the signed software is exported, an xe2x80x9cunlockingxe2x80x9d of the control unit is provided in a log-on step. When different access levels are used during the log-on, in addition, differently designed access rights may be awarded. For example, in the case of a diagnostic access, a logon would first be required, whereby the control unit recognizes by means of the fed access information the access rights and the authorization step connected therewith. Depending on the awarding of rights, the access authorizations may be classified from uncritical to very critical. According to an embodiment, a code is requested by the control unit and is checked with respect to validity. For this purpose, for example, a random number can be generated in the control unit which will then be processed and returned by the accessing party, for example, differently coded or signed. In the control unit, this information will then be examined, for example, by means of its own authentication key.
It is also possible to design the awarding of the access rights dynamically. For example, access certificates can be awarded whose certificate information indicates the access stage. Once an access certificate has been accepted, which can again take place by the checking of a signature by means of a key, the rights listed therein are granted.
Because of the centralization of the security function with respect to the granting of authentication rights, in contrast to the other control units, a control unit provided exclusively for access control should not be freely accessible in the motor vehicle, because, as a result of the physical removal of a control unit, the above-described protection mechanisms could be circumvented. A special (for example, mechanical) removal protection for such a security control unit is therefore desirable.
Furthermore, a special safety level can also be reached by designing a control unit composite, in which various control units are interconnected and are mutually dependent or test one another.
In order to exclude the risk that an individual control unit might be removed and replaced by another, an additional separate control unit removal protection can be useful. For this purpose, for example, a control unit authenticity check is performed sporadically in a vehicle, in which the control units are integrated. An inquiry is therefore directed to control units which these control units must answer by means of a specific expected information. If the information actually emitted by the control unit to be tested does not correspond to the expected information, or if the control unit does not answer, suitable safety measures will be taken.
Control units which are not critical with respect to security can, for example, be excluded from the communication composite. If the control unit is important for the operation of the vehicle, it is, for example, registered, marked or entered into a list so that the hardware-related manipulation on the respective control unit can at least be reconstructed. In one embodiment, the control units must respond upon request by means of a secret authentication key. An illegally exchanged control unit does not have such a key and will then be recognized and treated correspondingly.
Other objects, advantages and novel features of the present invention will become apparent from the following detailed description of the invention when considered in conjunction with the accompanying drawings.